GitLab Team Report

Security checks across malware telemetry and agentic risk

Overview

This GitLab reporting skill is mostly purpose-aligned, but it needs review because it can set up recurring automatic Feishu uploads and overwrite Feishu document contents without a clear per-run confirmation.

Review before installing. Use a least-privilege GitLab token, keep config files private, inspect generated reports before uploading, avoid running setup-cron.sh unless recurring Feishu publication is intended, and prefer creating a new Feishu document rather than passing an existing document URL unless overwriting it is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill instructs use of local configuration files, shell scripts, Python scripts, report generation, and optional Feishu upload, which implies file, shell, environment, and network access, yet no explicit permissions are declared. This creates a transparency and governance gap: users or the platform may not realize the skill can read local config, write reports, and transmit data externally.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The generated report HTML loads ECharts from a third-party CDN at runtime, so opening a local report causes the client to contact an external service and execute remote JavaScript. This creates a supply-chain and privacy risk: viewers' browsers may leak access patterns, and compromised CDN content could run arbitrary script in the context of the report page.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding
The cron entry unconditionally chains `./scripts/upload-to-feishu.sh` after report generation, even though the skill description says Feishu publishing is optional. This can cause unintended external publication of weekly reports and metadata on every scheduled run, which is a real confidentiality and data-governance risk if reports contain internal engineering details.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The trigger text includes several broad, natural phrases such as requests for weekly reports, engineering summaries, HTML reports, and Feishu publishing. Broad activation language can cause unintended invocation of a skill that reads local config, processes repository activity, writes files, and may publish data externally.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The description advertises optional Feishu publishing but does not clearly warn that report content, contributor summaries, MR metadata, and links may be sent to an external service. This omission increases the risk of accidental data exfiltration or disclosure of internal engineering information.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
When a target document URL is supplied, the script unconditionally clears the existing Feishu document via clearDocumentContent() before writing new content, with no confirmation prompt, dry-run mode, or explicit overwrite flag at execution time. In an automation/reporting skill, this can destroy unrelated or important document contents if the URL is wrong, stale, or attacker-influenced through config/arguments.

VirusTotal

64/64 vendors flagged this skill as clean.